Nobitex Hack May Be Linked to Israeli Spy Arrests in Iran-Backed Crypto Plot

The recent $90 million cyberattack on Nobitex, Iran’s largest crypto exchange, may have exposed more than just security vulnerabilities—it could also be connected to a developing espionage case involving Israeli citizens allegedly recruited by Iran, according to a new analysis by TRM Labs.

On June 24, Israeli authorities revealed they had arrested three suspects, aged 19 to 28, accused of carrying out surveillance and other covert tasks in exchange for cryptocurrency. Their alleged activities included photographing military sites, tagging pro-Iran slogans, and tracking high-profile Israeli officials.

The twist? The arrests came just six days after the Nobitex breach—a cyberattack attributed to Gonjeshke Darande (also known as Predatory Sparrow), a pro-Israel hacking group known for targeting Iranian digital infrastructure. Now, analysts are investigating whether the hack may have yielded sensitive internal data that helped identify those allegedly involved in the espionage ring.

Hack, Leak, Arrest: A Timeline Worth Scrutinizing

TRM Labs, a blockchain intelligence firm, noted that data from Nobitex was leaked just one day after the attack, suggesting the hackers had deep access to the exchange’s systems. While there's no confirmed link between the breach and the spy arrests, investigators believe the stolen information may have included wallet records, KYC files, or internal communications that were used to trace crypto payments from Iranian handlers to their Israeli recruits.

According to Israeli officials, the suspects were paid in cryptocurrency through anonymized channels. However, investigators were able to track the transactions on-chain, providing a key trail of evidence in the case.

Espionage Meets Crypto

The potential overlap between the Nobitex hack and the arrests highlights how digital assets and cyber warfare are increasingly intertwined. Both Israeli cybersecurity units and Gonjeshke Darande have a history of blending offensive cyber tactics with intelligence gathering. In this case, the hackers may have inadvertently—or intentionally—uncovered clues that fed directly into a national security operation.

Deeper Trouble at Nobitex?

The breach has also shed light on suspicious past activity at Nobitex itself. Separate blockchain investigations have revealed structured fund transfers and stealth tactics suggestive of money laundering or links to illicit actors. Some wallets connected to the exchange have reportedly been involved in questionable transactions well before the June 18 incident.

These findings raise new questions about Nobitex’s internal controls and transparency. While the exchange has not publicly addressed these allegations, scrutiny is expected to increase as investigators dig further into both the hack and its possible intelligence fallout.